Wireless Report Changes
Abstract
Previously we designed a network for MCCS based on the given requirements, but the security of
that network was still an open issue. This document presents a detailed explanation of the system
security plan, together with the cost of the security equipment. We need a firewall to block web
traffic for specific users and for one specific access point. A firewall, together with the RADIUS
server, is therefore installed in the server room and connected to the core network to provide
user-based access control for the VoIP users, and a port-based firewall is applied on the PoE switch
(in software or hardware, depending on the type of PoE switch) to block web traffic to the Room D
access point. Finally, different security products are compared by price, features and
requirements, and a recommendation is given to the management.
Introduction
Going wireless gives you mobility, but at the cost of sharing the communication medium. Being
wireless means that your data is sent to you over a shared medium that can be read or modified by
an external user or intruder. For that reason, you need to encrypt your information. Encryption
protects information with a code or key; the data can be decrypted using the same key or a
different key of the key pair.
For this purpose there are two main encryption schemes in wireless networks: WEP (Wired
Equivalent Privacy) and WPA (Wi-Fi Protected Access), which is a universal standard supported by
almost all devices. WPA2 is a newer, more secure type of encryption and is currently adopted by
most devices. Different attacks can occur on the system if security is not ensured.
An impersonation attack occurs when authentication is not fully supported and an intruder can
become part of the system; the intruder then takes control of the system and can change the
network management system. Another type of attack, normally known as eavesdropping, is one
where the intruders listen to the communication between the nodes and collect important
information, such as MAC addresses and encryption keys, during session creation. Spoofing is when
a node bypasses network access control or presents itself as a known node and enters the network,
where it can steal information or change the network configuration. Denial of service, passive
monitoring and accessing the system without authorization are the main attacks that can
compromise privacy and require security enhancements to avoid them.
In the rest of the document, the literature review summarizes previous work on the same topic,
the design of network security section describes the network security plan for the previously
designed MCCS network, and the conclusion summarizes the whole document.
Literature Review
Wireless communication is in demand worldwide these days and is growing massively [1], [2].
Currently there are almost 8 billion wireless communication subscribers in the world, which is
almost 45% of the world population [3]. But with the increase in wireless communication devices,
an increase in cyber-criminal activity has also occurred, which is a threat to the system and its
users. Wireless systems use the same OSI architecture as wired networks. Encryption and
cryptography secure our data against unintended users and transmit it through the channel with
the assurance that it will be disclosed only to the intended receiver [4]. This is achieved at the
cost of additional computational resources/complexity and delay in the communication, as
encryption and decryption require some extra time [5], [6]. To ensure the authenticity of users,
different approaches are used at each layer from the MAC layer to the transport layer [7]–[9].
At the MAC layer, the user is authenticated via an address known as the MAC address, normally
through MAC filtering. At the network layer, Wi-Fi Protected Access (WPA) and WPA2 are used for
authentication and access to the network, while SSL and TLS are used to provide security at the
transport layer [6], [10], [11]. As we know, wireless networks normally broadcast their
information, which becomes an issue because this information can be read by any user, who can
then attack the network using a man-in-the-middle attack, an eavesdropping attack, an injection
attack or a spoofing attack [12]–[15]. A malicious user within range of the network can read the
data and manipulate it, or can gain access to the system by learning system credentials such as
the cryptographic/encryption key. The communication is normally secured by this scheme so that
a malicious user or eavesdropper cannot intercept data between the users, because breaking this
cryptography requires very high computation power [16], [17]. These days artificial noise is also
added to the wireless channel and digital signal processing is carried out over it to make the
channel secure and unreadable for an eavesdropper.
To secure wireless transmission against wireless attacks we need to provide wireless security to
the system, which is achieved through confidentiality, encryption and authentication [18]. The
system must also be secured against denial of service and must be available at all times, while
its integrity must be ensured so that no information is changed and the exact information reaches
the intended user.
Design of network security
We are now assigned the task of making some changes to the system previously designed for MCCS
and introducing a firewall according to the given specification. Previously we had a core network
connected to the backbone/internet via a stacked core switch. The core switch is connected to a
PoE switch, which is further connected to the access points. The core network had all the servers
installed and connected, including the RADIUS server. We are now given 4 tasks and will go
through them separately.
1. Installation of Firewall:
The system requires a firewall that disables access to HTTP and HTTPS, i.e. web services, for
all VoIP users. This can be achieved by installing a firewall in the core network. In our
previous report we added details about the server room that will be present in the IT room
and directly connected to the main stacked core switch. This core switch will use 802.1X to
control access through the firewall, i.e. AAA (authentication, authorization and accounting),
for controlled access of users to the network. Since in the design process we already planned
a RADIUS server connected to the stacked core switch and present in the IT room, that RADIUS
server will be used with an Access Control List (ACL) to grant access to specific users.
[Figure: network diagram; labels: Core Switch, Firewall, Gigabit Links, 100Mbps Link, Access Point, Access Point, Firewall, Access Point]
To limit web access (HTTP and HTTPS) for Room D, we cannot use the firewall at the core network,
because in our scenario we have not introduced VLANs in the wireless network that would let us
limit access to a specific access point. For that reason, a separate firewall needs to be
installed between the PoE switch and the access point of Room D. The access point in Room D is
powered over Ethernet, so a separate power adapter will be installed to power that access point.
Inserting this firewall will block all web traffic over this port of the PoE switch and thus
block web traffic to Room D; only traffic other than web services will be allowed to enter or
leave this part of the network. There is another option, depending on the type of PoE switch:
some PoE switches have a software firewall built in, in which case no extra hardware is
required, but the firewall on the PoE switch needs to be enabled on that specific port.
Regarding the number of firewalls, I have already mentioned that if the PoE switch has a
built-in software firewall then we do not need to install the second hardware firewall at this
moment. Otherwise, a single firewall cannot be used on our designed network, because the VoIP
users need to be blocked at the main firewall using the RADIUS server as explained earlier,
while traffic to the specific room can only be blocked by a firewall at that specific port;
that is why two physical firewalls, or one software and one hardware firewall, are required.
If the designed network scenario were different, i.e. if the designers had implemented VLANs
and only a wireless network, then there would be no need for an extra firewall, and a single
firewall could perform all the functions.
2. As we have introduced the AAA server, which is part of the RADIUS server in the network,
the mobile devices will have to be authenticated before being given access to the network.
The AAA server is normally implemented via the 802.1X standard.
3. Now we need to discuss the products that I prefer for the network. Different organizations
provide different security solutions at different costs.
Vernier Networks' 6500 series and the VNX software provide a single-box integrated solution for
small networks such as the one we have designed. The software contains rights management,
packet filtering, policy enforcement, intrusion detection and domain administration. The cost
of one such server is almost $800.
Cisco's Aironet family comes with access points that provide a full security suite deployed on
IEEE 802.11X. They can provide all the security options, i.e. TKIP, WEP, AES, WPA and WPA2.
They can block DoS attacks and also identify their source, and they support all kinds of
firewalls. The cost of a single wireless access point ranges from $250 to $600.
Bluesocket provides the network with VPN-equivalent security, i.e. IPsec and PPTP. It has a
unique network management solution with role-based access control and bandwidth control. It
provides seamless transfer between two wireless APs without re-authentication. It also has an
intrusion detection system for security and can integrate with any access point. The cost is
around $800.
Proxim is one of the manufacturers in the wireless market that provides up-to-the-mark
products with security ensured. Its AP-2000 and AP-4000 come with support for every kind of
wireless security and are based on 802.1X along with the Extensible Authentication Protocol
(EAP). Its cost is almost $100 to $200, and it can implement per-user and per-session dynamic
keys as well as rogue AP detection.
As our solution needs to provide this type of security, I would prefer the Vernier Networks
6500 series server, so that every kind of firewall, filtering and policy enforcement can be
implemented on our network, and along with it I would prefer the Cisco Aironet family access
points to have all the authentication and the intrusion detection system implemented.
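The access-control plan of sections 1 and 2 as a runnable model, added here and not part of the original report: a RADIUS Access-Accept carries a Filter-Id attribute naming the per-user ACL, the core firewall applies that ACL to VoIP sessions, and the PoE switch port feeding Room D filters web ports regardless of user. The user names, passwords, port number 12 and the ACL name are assumed values, and the model goes one step beyond the report's HTTP/HTTPS rule by also treating udp/443 (QUIC) as web traffic.

```python
# Added example, not the report's code: models the two web-blocking controls of
# sections 1 and 2 (per-user ACL at the core firewall selected by RADIUS for VoIP
# users; port filter on the PoE port feeding the Room D AP). Values constructed.
from typing import NamedTuple, Optional, Tuple

# Web ports to block; udp/443 added for QUIC, which a TCP-only 80/443 rule misses.
WEB_PORTS = {("tcp", 80), ("tcp", 443), ("udp", 443)}

# Constructed RADIUS user store. On Access-Accept the server returns a
# Filter-Id attribute (RFC 2865) naming the ACL the switch/firewall applies.
RADIUS_USERS = {
    "voip-phone-01": {"password": "s3cret", "filter_id": "voip-noweb"},
    "staff-laptop": {"password": "hunter2", "filter_id": None},
}

ROOM_D_SWITCH_PORT = 12  # assumed PoE switch port feeding the Room D AP

class Flow(NamedTuple):
    user: str
    proto: str
    dst_port: int
    ingress_port: int  # PoE switch port the traffic arrived on

def radius_authenticate(user: str, password: str) -> Tuple[bool, Optional[str]]:
    """Return (accepted, filter_id); filter_id is None for unrestricted users."""
    entry = RADIUS_USERS.get(user)
    if entry is None or entry["password"] != password:
        return False, None
    return True, entry["filter_id"]

def poe_port_filter_allows(flow: Flow) -> bool:
    """Port-based filter on the PoE switch: no web traffic on the Room D port."""
    return not (flow.ingress_port == ROOM_D_SWITCH_PORT
                and (flow.proto, flow.dst_port) in WEB_PORTS)

def core_firewall_allows(flow: Flow, filter_id: Optional[str]) -> bool:
    """Per-user ACL at the core: the voip-noweb ACL drops only the web ports."""
    return not (filter_id == "voip-noweb"
                and (flow.proto, flow.dst_port) in WEB_PORTS)

def policy_decision(flow: Flow, password: str) -> str:
    """802.1X/RADIUS authentication first, then the two filters in path order."""
    accepted, filter_id = radius_authenticate(flow.user, password)
    if not accepted:
        return "reject-auth"
    if not poe_port_filter_allows(flow):
        return "deny-port-filter"
    if not core_firewall_allows(flow, filter_id):
        return "deny-core-acl"
    return "allow"
```

A rule keyed on TCP 80/443 alone does not stop browsers that move to QUIC over UDP 443, which is why the model lists that port as well.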
Conclusion and Summary
Wireless networks are the need of the time and are implemented almost everywhere, from homes to
offices. Although these systems are a luxury, at the same time they can compromise our security,
which requires different techniques so that security is not compromised. For that reason, access
to the network needs to be authenticated, and its data needs to be encrypted so that malicious
users cannot read it. The communicating users must be confident that their data is secure and
unaltered, while the service needs to be available according to the users' needs, without
continuous attacks by attackers to shut down or overload our communication system. We provided a
firewall for the system and secured it from intruders by providing firewall services at the core
network. Also, some users were given restricted privileges based on the requirements of the
users. pfSense is considered one of the best firewalls to be used in the system.
References
[1] O. G. Aliu, A. Imran, M. A. Imran, and B. Evans, “A survey of self organisation in future
cellular networks,” IEEE Communications Surveys and Tutorials. 2013, doi:
10.1109/SURV.2012.021312.00116.
[2] H. Elsawy, E. Hossain, and M. Haenggi, “Stochastic geometry for modeling, analysis, and
design of multi-tier and cognitive cellular wireless networks: A survey,” IEEE Commun.
Surv. Tutorials, 2013, doi: 10.1109/SURV.2013.052213.00000.
[3] International Telecommunications Union, “ICT facts and figures 2017,” 2017.
[4] M. E. Whitman and H. J. Mattord, “Principles of Information Security Fourth Edition,”
Learning, 2011.
[5] Y. Xiao, H. H. Chen, B. Sun, R. Wang, and S. Sethi, “MAC security and security overhead
analysis in the IEEE 802.15.4 wireless sensor networks,” Eurasip J. Wirel. Commun. Netw.,
2006, doi: 10.1155/WCN/2006/93830.
[6] G. Apostolopoulos, V. Peris, P. Pradhan, and D. Saha, “Securing electronic commerce:
Reducing the SSL overhead,” IEEE Netw., 2000, doi: 10.1109/65.855475.
[7] K. H. M. Wong, Z. Yuan, C. Jiannong, and W. Shengwei, “A dynamic user authentication
scheme for wireless sensor networks,” in Proceedings - IEEE International Conference on
Sensor Networks, Ubiquitous, and Trustworthy Computing, 2006, doi:
10.1109/SUTC.2006.1636182.
[8] W. Diffie, “Privacy and Authentication for Wireless Local Area Networks,” IEEE Pers.
Commun., 1994, doi: 10.1109/98.295357.
[9] M. Turkanović, B. Brumen, and M. Hölbl, “A novel user authentication and key
agreement scheme for heterogeneous ad hoc wireless sensor networks, based on the
Internet of Things notion,” Ad Hoc Networks, 2014, doi: 10.1016/j.adhoc.2014.03.009.
[10] A. H. Lashkari, M. Mansoori, and A. S. Danesh, “Wired equivalent privacy (WEP) versus
Wi-Fi protected access (WPA),” in 2009 International Conference on Signal Processing
Systems, ICSPS 2009, 2009, doi: 10.1109/ICSPS.2009.87.
[11] K. J. Hole, E. Dyrnes, and P. Thorsheim, “Securing Wi-Fi networks,” Computer (Long.
Beach. Calif)., 2005, doi: 10.1109/MC.2005.241.
[12] S. Lakshmanan, C. L. Tsao, R. Sivakumar, and K. Sundaresan, “Securing wireless data
networks against eavesdropping using smart antennas,” in Proceedings - The 28th
International Conference on Distributed Computing Systems, ICDCS 2008, 2008, doi:
10.1109/ICDCS.2008.87.
[13] D. R. Raymond and S. F. Midkiff, “Denial-of-service in wireless sensor networks: Attacks
and defenses,” IEEE Pervasive Comput., 2008, doi: 10.1109/MPRV.2008.6.
[14] B. Kannhavong, H. Nakayama, Y. Nemoto, N. Kato, and A. Jamalipour, “A survey of
routing attacks in mobile ad hoc networks,” IEEE Wirel. Commun., 2007, doi:
10.1109/MWC.2007.4396947.
[15] U. Meyer and S. Wetzel, “A man-in-the-middle attack on UMTS,” in Proceedings of the
2004 ACM Workshop on Wireless Security, WiSe, 2004, doi: 10.1145/1023646.1023662.
[16] T. Ohigashi and M. Morii, “A practical message falsification attack on WPA,” Proceedings
Jt. Work. Inf. Secur. …, 2009, doi: 10.1145/1629575.1629606.
[17] C. Paar and J. Pelzl, “Understanding cryptography a textbook for students and
practitioners,” 2013.
[18] G. Cao, J. P. Hubaux, Y. Kim, and Y. Zhang, “Security and privacy in emerging wireless
networks,” IEEE Wireless Communications. 2010, doi: 10.1109/MWC.2010.5601952.